PRIVACY NOTICE

FOR TRAINEES, ECTs, EMPLOYEES, CONSULTANTS, MENTORS, CONTRACTORS, PARTNER SCHOOL AND PARTNER ORGANISTATIONS

ABOUT THIS DOCUMENT

Suffolk and Norfolk SCITT is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR). It applies to all trainees, employees, consultants, mentors, contractors, partner schools and partner organisations, but does not form part of any contract of employment or other contract to provide services. 

Suffolk and Norfolk SCITT is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information. We may amend this notice at any time.

Suffolk and Norfolk SCITT has appointed a Data Protection Officer from School’s Choice Data Protection Service as its data protection officer. Her role is to inform and advise the organisation on its data protection obligations. She can be contacted at data.protection@schoolschoice.org and questions about this policy, or requests for further information, should be directed to her.

Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection. These are data about ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sex life, criminal proceedings or convictions, genetic or biometric data.

We will collect, store, and use some or all of the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses 
  • Date of birth
  • Gender
  • Marital status and dependants 
  • Next of kin and emergency contact information
  • National Insurance number
  • Bank account details, payroll records and tax status information (trainees in receipt of bursaries, employees and consultants only) 
  • Salary, annual leave, pension and benefits information (employees only – held on SCC HR system)
  • Start date
  • Location of employment workplace or placement school (trainees, mentors and employees only)
  • Copy of driving licence /Passport /Identity documents (trainees, employees, consultants only)
  • Recruitment information (including UCAS application forms, copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
  • Employment records (including job titles, work history, working hours, training records and professional memberships) (trainees, employees, consultants only)
  • Performance information (trainees, including but not limited to termly reports, assignment grades, lesson observation feedback / employees PDR information – held on SCC HR system)
  • Disciplinary and grievance information.
  • Information about your use of our information and communications systems.
  • Photographs (trainees, employees and consultants only)
  • Video (trainees, lesson observations and assignment presentations)

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • Information about your race or ethnicity 
  • Information about your health, including any medical condition, health and sickness records.
  • Information from the Cambridge Personal Styles Questionnaire
  • Information about criminal convictions and offences.

How is your personal information collected?

We collect personal information about trainees, employees, consultants, mentors, contractors, partner schools and partner organisations either directly from candidates and referees or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers or other background check agencies 

We will collect additional personal information in the course of job-related or training-related activities throughout the period of you working for us or training with us.

How we will use information about you

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  1. Where we need to perform the contract we have entered into with you.
  2. Where we need to comply with a legal obligation.
  3. Where it is necessary for our legitimate interests (or those of a third party) as long as this interest does not affect your interests or infringe your fundamental rights, in particular your right to privacy

We may also use your personal information in the following situations, which are likely to be rare:

  1. Where we need to protect your interests (or someone else’s interests).
  2. Where it is needed in the public interest or for official purposes.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you, training you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Consent

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. 

Data sharing

We may share your data with third parties, including third-party service providers, where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. We require third parties to respect the security of your data and to treat it in accordance with the law. In the case of trainees, we will share performance and other data with the University of Suffolk, placement school staff, schools requesting employment references, mentors and personal tutors.

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Transferring information outside the EU – (applicants and trainees only) 

We will transfer the personal information we collect about you to certain countries outside the EU, in order to perform our contract with you as we use Google Drive as our Virtual Learning Environment. Occasionally, we may also transfer files using DropBox or WeTransfer when we are unable to use email. We will ensure that your personal information receives an adequate level of protection and is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection.

Security

We have appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a training or business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

Data on unsuccessful applicants to our courses (paper and electronic) will be kept for 1 academic year and then destroyed.

Data on trainees (paper and electronic) will be kept for 7 years after training is completed and will then be destroyed. 

We will keep a record of the personal email addresses of ECTs so that we can stay in contact to offer support after the course is complete. 

Rights of access, correction, erasure, and restriction 

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us. 

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). 
  • Request correction of the personal information that we hold about you. 
  • Request erasure of your personal information. 
  • Object to processing of your personal information.
  • Request the restriction of processing of your personal information. 
  • Request the transfer of your personal information to another party. 

Contact

For further information about your rights, or if you have any questions about this privacy notice or how we handle your personal information, please contact Anna Richards, Executive Leader Suffolk and Norfolk SCITT (anna.richards@suffolk.gov.uk) You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

You will be asked to complete an acknowledgment form to confirm that you have read and understood both the Suffolk and Norfolk SCITT Privacy Notice and Data Protection Policy.

By signing this acknowledgement, you are agreeing to your data being processed as outlined in the Privacy Notice and agreeing to follow the Data Protection Policy at all times.

Written and agreed: May 2018

Updated: August 2018

Reviewed: July 2021

Next Review: August 2022

DATA PROTECTION POLICY

Introduction Suffolk and Norfolk SCITT is committed to being transparent about how it collects and uses the personal data of its trainees, employees, consultants, mentors, contractors, partner schools and partner organisations and to meeting its data protection obligations.

This policy sets out Suffolk and Norfolk SCITT’s commitment to data protection, and individual rights and obligations in relation to personal data.

Suffolk and Norfolk SCITT has appointed a Data Protection Officer from the Suffolk School’s Choice Data Protection Service as its data protection officer. Her role is to inform and advise the organisation on its data protection obligations. She can be contacted at data.protection@schoolschoice.org and questions about this policy, or requests for further information, should be directed to her.

Definitions

• Personal data – any information that relates to an individual who can be identified from that information.

• Processing – any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

• Special categories of personal data – means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

• Criminal records data – means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

Data Protection Principles

Suffolk and Norfolk SCITT processes personal data in accordance with the following data protection principles:

• Suffolk and Norfolk SCITT processes personal data lawfully, fairly and in a transparent manner.

• Suffolk and Norfolk SCITT collects personal data only for specified, explicit and legitimate purposes.

• Suffolk and Norfolk SCITT processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.

• Suffolk and Norfolk SCITT keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.

• Suffolk and Norfolk SCITT keeps personal data only for the period necessary for processing.

• Suffolk and Norfolk SCITT adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

• Suffolk and Norfolk SCITT tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons.

Where Suffolk and Norfolk SCITT processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with the General Data Protection Regulation (GDPR).

Suffolk and Norfolk SCITT will update personal data promptly if an individual advises that their information has changed or is inaccurate. Data gathered is held in:

• Trainee personal and progress files (in hard copy or electronic format, or both)

• Unsuccessful applicants’ recruitment and selection paperwork (in hard copy or electronic format, or both)

• Employee and consultant files (in hard copy or electronic format, or both)

• On Suffolk County Council’s and Norfolk County Council’s HR systems

1 The periods for which Suffolk and Norfolk SCITT holds personal data are contained in its privacy notices/ retention schedule. The organisation keeps a record of its processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Data Retention

Suffolk and Norfolk SCITT maintains a retention schedule which is based on guidance from the information and records management society: http://www.irms.org.uk/resources/information-guides/199-rmtoolkit-for-school

We will only retain personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Data on unsuccessful applicants to our courses (paper and electronic) will be kept for 1 academic year and then destroyed.

Data on trainees (paper and electronic) will be kept for 7 years after training is completed and will then be destroyed.

We will keep a record of the personal email addresses of EQTs so that we can stay in contact to offer support after the course is complete.

Individual Rights

As a data subject, individuals have a number of rights in relation to their personal data.

Subject Access Requests

Individuals have the right to make a subject access request. If an individual makes a subject access request, Suffolk and Norfolk SCITT will tell them:

• whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;

• to whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;

• for how long their personal data is stored (or how that period is decided);

• their rights to rectification or erasure of data, or to restrict or object to processing;

• their right to complain to the Information Commissioner if they think the Suffolk and Norfolk SCITT has failed to comply with their data protection rights.

Suffolk and Norfolk SCITT will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless they agree otherwise.

To make a subject access request, the individual should complete the relevant form/send the request to anna.richards@suffolk.gov.uk. In some cases, the Suffolk and Norfolk SCITT may need to ask for proof of identification before the request can be processed.

Suffolk and Norfolk SCITT will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the Suffolk and Norfolk SCITT processes large amounts of the individual’s data, it may respond within three months of the date the request is received. Suffolk and Norfolk SCITT will write to the individual within one month of receiving the original request to tell them if this is the case.

If a subject access request is manifestly unfounded or excessive, Suffolk and Norfolk SCITT is not obliged to comply with it. Alternatively, Suffolk and Norfolk SCITT can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which Suffolk and Norfolk SCITT has

2 already responded. If an individual submits a request that is unfounded or excessive, Suffolk and Norfolk SCITT will notify them that this is the case and whether it will respond to it.

Other Rights

Individuals have a number of other rights in relation to their personal data. They can require Suffolk and Norfolk SCITT to:

• rectify inaccurate data;

• stop processing or erase data that is no longer necessary for the purposes of processing;

• stop processing or erase data if the individual’s interests override Suffolk and Norfolk SCITTs legitimate grounds for processing data (where the Suffolk and Norfolk SCITT relies on its legitimate interests as a reason for processing data);

• stop processing or erase data if processing is unlawful; and

• stop processing data for a period if data is inaccurate or if there is a dispute about whether the individual’s interests override Suffolk and Norfolk SCITT’s legitimate grounds for processing data.

To ask Suffolk and Norfolk SCITT to take any of these steps, the individual should send the request to anna.richards@suffolk.gov.uk.

Freedom of Information

Suffolk and Norfolk SCITT is subject to The Freedom of Information Act 2000 (FOI) and Environmental Information Regulations 2004 (EIR) and all requests for information that is not personal information must be treated as a FOI or EIR. These requests must be fully responded within 20 working days by law. The information will be provided unless Suffolk and Norfolk SCITT can provide an exemption or exception under the FOI act or EIR respectively.

Data Security

Suffolk and Norfolk SCITT takes the security of personal data seriously. It has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. Suffolk and Norfolk SCITT is working towards a clear desk policy.

Where Suffolk and Norfolk SCITT engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

An Information Risk Register will be created and maintained by Suffolk and Norfolk SCITT which summarises each information asset the organisation maintains. Appropriate measures will be taken to mitigate the risk of disclosure of each information asset based on the impact level assigned.

Data Breaches

If Suffolk and Norfolk SCITT discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. Suffolk and Norfolk SCITT will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

Individual Responsibilities Individuals are responsible for helping Suffolk and Norfolk SCITT keep their personal data up to date. Individuals should let Suffolk and Norfolk SCITT know if data provided to the organisation changes, for example if an individual moves house.

Individuals may have access to the personal data of other individuals in the course of their employment. Where this is the case, Suffolk and Norfolk SCITT relies on individuals to help meet its data protection obligations.

Individuals who have access to personal data are required:

3 • to access only data that they have authority to access and only for authorised purposes;

• not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;

• to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);

• not to remove personal data, or devices containing or that can be used to access personal data, from the organisation’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

Training

Suffolk and Norfolk SCITT will provide training to all individuals (including trainees and consultants) about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

Suffolk and Norfolk SCITT Staff

• All staff sign the Suffolk and Norfolk SCITT Privacy Statement and have an annual data protection briefing.

• All staff have received a copy of the Suffolk and Norfolk SCITT Data Protection Policy and sign to say they have read and understood it.

• Suffolk and Norfolk SCITT staff will keep data on trainees on Google Drive or the relevant Suffolk or Norfolk County Council networks which are fully secure.

Trainees

• All trainees sign the Suffolk and Norfolk SCITT Privacy Statement and agree that their information can be shared with Suffolk and Norfolk SCITT staff, consultants, staff in partnership schools and the University of Suffolk where it is necessary in order for us to fulfil the training contract that we have entered into with them.

• All trainees have a GDPR briefing session prior to coming into school so they understand the importance of data protection. They understand that they must know and act on each school’s own data protection policy.

• All trainees receive a copy of the Suffolk and Norfolk SCITT Data Protection Policy and sign to say they have read and understood it

• All trainees use their Suffolk and Norfolk SCITT email addresses for any communication relating to the course.

• Suffolk and Norfolk SCITT trainees use Google Drive as a secure cloud-based data storage solution for information relating to the course. Trainees will upload all course information containing any pupil related information or data (including lesson observations, weekly reflections etc) to the relevant secure Google Drive areas and not keep any such information locally on their own devices.

• Trainees may keep some course information (e.g. lesson plans) in paper based files where this is acceptable under each schools’ data protection policy. Information will be anonymised as far as is possible.

ECTs

• Unless consent is withdrawn, Suffolk and Norfolk SCITT will retain details of ECT personal email addresses to enable on-going support and contact.

Suffolk and Norfolk SCITT Consultants

• All consultants sign the Suffolk and Norfolk SCITT Privacy Statement and have an annual data protection briefing.

• All consultants receive a copy of the Suffolk and Norfolk SCITT Data Protection Policy and sign to say they have read and understood it.

• All consultants will use their Norfolk SCITT email addresses for any communication relating to the course.

• Consultants will use Google Drive as a secure cloud-based data storage solution for information relating to the course. They upload all course information containing any pupil related information or data (including lesson observations, weekly reflections etc) to the relevant secure Google Drive areas and not keep any such information locally on their own devices.

Roles and Responsibilities

The senior information risk owner (SIRO) for the Suffolk and Norfolk SCITT is Anna Richards

They are responsible for:

• Owning and updating this policy

• Owning the risk register

• Advocating information risk management and raising awareness of information security issues

All staff are responsible for ensuring that information is managed according to this policy.

Policy Review

Anna Richards, Executive Leader, and the Suffolk School’s Choice Data Protection Officer, are responsible for monitoring the arrangements set out in this document.

The policy will be reviewed every 2 years.

Written and agreed: May 2018

Updated: August 2018

Reviewed: July 2021

Next Review: August 2022